CN108574687B - Communication connection establishment method and device, electronic equipment and computer readable medium - Google Patents

Communication connection establishment method and device, electronic equipment and computer readable medium Download PDF

Info

Publication number
CN108574687B
CN108574687B CN201710531463.4A CN201710531463A CN108574687B CN 108574687 B CN108574687 B CN 108574687B CN 201710531463 A CN201710531463 A CN 201710531463A CN 108574687 B CN108574687 B CN 108574687B
Authority
CN
China
Prior art keywords
server
information
target
communication
encryption algorithm
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201710531463.4A
Other languages
Chinese (zh)
Other versions
CN108574687A (en
Inventor
杨帆
李昶
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Kingsoft Cloud Network Technology Co Ltd
Beijing Kingsoft Cloud Technology Co Ltd
Original Assignee
Beijing Kingsoft Cloud Network Technology Co Ltd
Beijing Kingsoft Cloud Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Kingsoft Cloud Network Technology Co Ltd, Beijing Kingsoft Cloud Technology Co Ltd filed Critical Beijing Kingsoft Cloud Network Technology Co Ltd
Priority to CN201710531463.4A priority Critical patent/CN108574687B/en
Publication of CN108574687A publication Critical patent/CN108574687A/en
Application granted granted Critical
Publication of CN108574687B publication Critical patent/CN108574687B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0442Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply asymmetric encryption, i.e. different keys for encryption and decryption
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/02Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1001Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/161Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields
    • H04L69/162Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields involving adaptations of sockets based mechanisms

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer And Data Communications (AREA)

Abstract

The embodiment of the invention provides a communication connection establishing method, a communication connection establishing device and electronic equipment, which are applied to a communication server, wherein the method comprises the following steps: firstly, a communication server receives a connection request which is sent by a target client and used for establishing communication connection, and determines a target encryption algorithm according to the connection request; and then, the communication server sends first information to the target client based on the target encryption algorithm, receives second information which is fed back by the target client and encrypted by a target public key, then sends the second information to a third-party server, obtains third information based on the third-party server, and finally, the communication server generates the target secret key according to the third information and the target encryption algorithm to complete the establishment of the communication connection. By applying the embodiment of the invention, the processing speed of the communication server is improved.

Description

Communication connection establishment method and device, electronic equipment and computer readable medium
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method and an apparatus for establishing a communication connection, and an electronic device.
Background
With the development of internet technology, communication between a client and a server is more and more frequent, and generally speaking, the client and the server communicate based on various application protocols, for example, HTTPS (HyperText Transfer Protocol over Secure Socket Layer), HTTP (HTTP), and an effective communication connection establishment method is more and more important to improve the communication speed between the client and the server.
Taking handshake phase based on HTTPS protocol as an example, a process of establishing communication connection between a client and a WEB (World Wide WEB) server is described, specifically as follows: the method comprises the steps that a client sends a connection request for establishing communication connection to a WEB server, the WEB server determines that an encryption algorithm needs to be adopted when communicating with the client according to the connection request, and sends a certificate corresponding to the encryption algorithm to the client, the client encrypts information by using a public key contained in the certificate and sends the encrypted information to the WEB server, the WEB server decrypts the information encrypted by the client by using a private key corresponding to the public key stored in the WEB server, original information is restored, and a secret key is generated based on the original information, so that the communication connection in a handshake stage is completed.
At present, in order to improve the response speed of the server and to improve the communication speed between the client and the server, the main method is: an SSL (Secure Sockets Layer) accelerator card is added on the server, a certificate sent to the client by the server is stored in the accelerator card, and the work related to information decryption is also completed by the accelerator card, so that the response speed of the server can be improved. However, if the number of connection requests to be processed by the server is small, the SSL accelerator card resource is wasted; if the requests based on the HTTPS protocol are too many and limited by the hardware of the server, the SSL acceleration card cannot be dynamically expanded, so that a communication connection establishing method capable of improving the processing speed of the server without being limited by the hardware of the server is needed.
Disclosure of Invention
The embodiment of the invention aims to provide a communication connection establishing method, a communication connection establishing device and electronic equipment, so as to improve the processing speed of a communication server. The specific technical scheme is as follows:
in order to achieve the above object, an embodiment of the present invention discloses a communication connection establishing method, which is applied to a communication server, where the communication server stores a correspondence between an encryption algorithm and a certificate in advance, and the method includes:
receiving a connection request sent by a target client for establishing communication connection, wherein the connection request comprises an encryption algorithm set which can be supported by the target client;
determining a target encryption algorithm according to the connection request;
based on the target encryption algorithm, sending first information to the target client, and receiving second information which is fed back by the target client and encrypted by using a target public key, wherein the first information comprises a target certificate, and the target certificate comprises the target public key of the target encryption algorithm;
sending the second information to a third-party server, and obtaining third information based on the third-party server, wherein the third information is generated by decrypting the second information according to a target private key corresponding to the target public key;
and generating the target key according to the third information and the target encryption algorithm to complete the establishment of the communication connection.
Optionally, after sending the second information to the third-party server, the method further includes:
and processing connection requests sent by clients except the target client for establishing communication connection.
Optionally, the communication server is: the WEB server, the connection request is: connection request based on HTTPS protocol.
Optionally, the third-party server is: a third party server cluster comprising a load balancing server and at least one computing server other than the load balancing server,
the sending the second information to a third-party server, and obtaining third information based on the third-party server includes:
sending the second information to a load balancing server in the third-party server cluster, so that the load balancing server selects one computing server from the third-party server cluster as a target computing server, and sending the second information to the target computing server;
and receiving third information fed back by the target computing server according to the second information.
Optionally, the method further includes:
and sending removal information for removing the computing server to a load balancing server in the third-party server cluster, so that the load balancing server removes the computing server from the third-party server cluster according to the removal information.
Optionally, the method further includes:
and sending adding information for adding a computing server to a load balancing server in the third-party server cluster, so that the load balancing server adds the computing server to the third-party server cluster according to the adding information.
In order to achieve the above object, an embodiment of the present invention further discloses a communication connection establishing apparatus, which is applied to a communication server, where a correspondence between an encryption algorithm and a certificate is stored in advance in the communication server, and the apparatus includes:
the system comprises a receiving module, a sending module and a receiving module, wherein the receiving module is used for receiving a connection request which is sent by a target client and used for establishing communication connection, and the connection request comprises an encryption algorithm set which can be supported by the target client;
the determining module is used for determining a target encryption algorithm according to the connection request;
the first sending module is used for sending first information to the target client based on the target encryption algorithm and receiving second information which is fed back by the target client and encrypted by using a target public key, wherein the first information comprises a target certificate, and the target certificate comprises the target public key of the target encryption algorithm;
the second sending module is used for sending the second information to a third-party server and obtaining third information based on the third-party server, wherein the third information is generated by decrypting the second information according to a target private key corresponding to the target public key;
and the generating module is used for generating the target key according to the third information and the target encryption algorithm to complete the establishment of the communication connection.
Optionally, the apparatus further comprises:
and the processing module is used for processing a connection request which is sent by the client except the target client and is used for establishing communication connection after the second information is sent to the third-party server.
Optionally, the communication server is: the WEB server, the connection request is: connection request based on HTTPS protocol.
Optionally, the third-party server is: a third party server cluster, the third party server cluster comprising: a load balancing server and at least one computing server other than the load balancing server,
the second sending module is further configured to:
sending the second information to a load balancing server in the third-party server cluster, so that the load balancing server selects one computing server from the third-party server cluster as a target computing server, and sending the second information to the target computing server;
and receiving third information fed back by the target computing server according to the second information.
Optionally, the apparatus further comprises:
a third sending module, configured to send removal information for removing a computing server to a load balancing server in the third-party server cluster, so that the load balancing server removes the computing server from the third-party server cluster according to the removal information.
Optionally, the apparatus further comprises:
and the fourth sending module is used for sending the adding information for adding the computing server to the load balancing server in the third-party server cluster, so that the load balancing server adds the computing server to the third-party server cluster according to the adding information.
In order to achieve the above object, an embodiment of the present invention further provides an electronic device, including: the system comprises a processor, a communication interface, a memory and a communication bus, wherein the processor, the communication interface and the memory complete mutual communication through the communication bus;
a memory for storing a computer program;
the processor is configured to implement the steps of the communication connection establishment method provided by the embodiment of the present invention when executing the program stored in the memory.
In order to achieve the above object, an embodiment of the present invention further provides a computer-readable storage medium, where a computer program is stored in the computer-readable storage medium, and the computer program, when executed by a processor, implements the steps of the communication connection establishment method provided by the embodiment of the present invention.
As can be seen from the above, in the method and apparatus for establishing a communication connection provided in the embodiments of the present invention, first, a communication server receives a connection request for establishing a communication connection sent by a target client, and determines a target encryption algorithm according to the connection request; and then, the communication server sends first information to the target client based on the target encryption algorithm, receives second information which is fed back by the target client and encrypted by a target public key, then sends the second information to a third-party server, obtains third information based on the third-party server, and finally, the communication server generates the target secret key according to the third information and the target encryption algorithm to complete the establishment of the communication connection.
Therefore, by applying the technical scheme provided by the embodiment of the invention, in the process of establishing communication connection between the target client and the communication server, the operation of executing decryption information by using the private key is not required to be completed by the communication server, so that the time and system resources consumed by using the private key to decrypt the information are saved, the processing speed of the communication server is improved, and further, the number of third-party servers completing the operation of decrypting the information by using the private key can be dynamically adjusted, so that the communication server can flexibly adjust the processing speed according to the connection request to be processed.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a flowchart illustrating a communication connection establishment method according to an embodiment of the present invention;
fig. 2 is a schematic diagram illustrating a method for establishing a communication connection according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a communication connection establishing apparatus according to an embodiment of the present invention;
fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
In order to solve the problem of the prior art, embodiments of the present invention provide a communication connection establishment method, an apparatus, and an electronic device. First, a communication connection establishing method provided in an embodiment of the present invention is described in detail below.
It should be noted that the communication connection establishing method provided in the embodiment of the present invention may be applied to a communication server, where the communication server stores a correspondence between an encryption algorithm and a certificate in advance. Fig. 1 is a flowchart illustrating a method for establishing a communication connection according to an embodiment of the present invention, where the method includes:
s101, receiving a connection request sent by a target client for establishing communication connection.
The connection request comprises an encryption algorithm set which can be supported by the target client.
Common encryption algorithms include: RSA Encryption algorithm, ECDH Encryption algorithm, DH (Diffie-Hellman) Encryption algorithm, AES (Advanced Encryption Standard) Encryption algorithm, and the like. The RSA encryption algorithm is a typical asymmetric encryption algorithm, which is based on a factorization mathematical problem of a large number, and is also the most widely applied asymmetric encryption algorithm at present, and the ECDH is a DH encryption algorithm based on an ECC (Elliptic Curve cryptosystem ). In the embodiment of the present invention, the encryption algorithm set that can be supported by the target client is not limited, for example, the encryption algorithm set that can be supported by the target client may be: the RSA encryption algorithm, ECDH encryption algorithm, AES encryption algorithm may also be: RSA encryption algorithm, ECDH encryption algorithm.
Specifically, the communication server may be: the WEB server and the connection request can be as follows: connection request based on HTTPS protocol.
In practical application, the WEB server may be: nginx, Nginx ("engine x"), is a lightweight Web server/reverse proxy server with high concurrency capable of supporting responses up to 50,000 concurrent connections.
S102, determining a target encryption algorithm according to the connection request.
It should be noted that the communication server may determine the target encryption algorithm to be used for communication with the target client according to the set of encryption algorithms that can be supported by the target client and is carried in the connection request. The embodiment of the invention does not limit the mode of determining the target encryption algorithm. For example, the way to determine the target encryption algorithm may be: the communication server randomly selects an encryption algorithm which can be supported by the communication server from an encryption algorithm set which can be supported by the target client as a target encryption algorithm to be adopted for communication with the target client; the following steps can be also included: the communication server selects an encryption algorithm which can be supported by the communication server from the encryption algorithm set which can be supported by the target client and has the lowest algorithm complexity as a target encryption algorithm to be adopted for communication with the target client.
For example, the set of encryption algorithms that the target client can support may be: the RSA encryption algorithm, the ECDH encryption algorithm, the AES encryption algorithm, and the set of encryption algorithms that the communication server can support may be: the communication server can randomly select the ECDH encryption algorithm as the target encryption algorithm from the encryption algorithms supported by the target client, namely the RSA encryption algorithm and the ECDH encryption algorithm.
S103, based on the target encryption algorithm, first information is sent to the target client, and second information which is fed back by the target client and encrypted by the target public key is received.
The first information comprises a target certificate, and the target certificate comprises a target public key of a target encryption algorithm.
Because the correspondence between the encryption algorithm and the certificate is stored in the communication server in advance, after the communication server determines the target encryption algorithm, the target certificate corresponding to the target encryption algorithm is determined according to the correspondence, the target certificate is obtained, and the target certificate can be packaged into the first information and sent to the target client.
In practical applications, the certificate may be stored in the communication server, or may be stored in a server other than the communication server. When the certificate is stored in the communication server, the method for obtaining the target certificate comprises the following steps: the communication server directly obtains a target certificate; when the certificate is stored in a server other than the communication server, the target certificate is obtained by the following method: and sending a request for acquiring the target certificate to other servers, and receiving the target certificate fed back by the other servers according to the acquisition request.
In order to facilitate the unified management and maintenance of the certificate and simplify the process of obtaining the certificate by the communication server, in a specific embodiment, the certificate may be uniformly stored in the communication server.
In practical applications, besides the target public key information, the designer may design the encoding mode of the certificate and other contents included in the certificate according to his own requirements, and the embodiment of the present invention does not limit the specific encoding mode of the certificate and the contents included in the certificate. For example, the certificate may be encoded in the following manner: the certificate encoded by the binary encoding method may be: the certificate encoded by the BASE64 encoding method may contain other information besides public key information, such as the issuing authority of the certificate, expiration time, etc.
In practical applications, the first information may include other contents according to the characteristics of the target encryption algorithm, except for the target certificate, and the present invention does not limit the other contents included in the first information. For example, when the target encryption algorithm is an ECDH encryption algorithm, the first information further includes a first random number, and the first random number may be: the communication server utilizes a random number generated by a random function. Specifically, the communication server may generate a random number using a rand () random function or a srand () random function.
It should be noted that, after receiving the first information, the target client may verify whether the target certificate is a valid certificate, and after verifying that the target certificate is a valid certificate, the target client may encrypt the original information by using a target public key included in the target certificate to obtain the second information, where the original information may be: and the target client generates a second random number by using the random function. The first random number generated by the communication server and the second random number generated by the target client may have the same or different values.
In practical applications, the method for verifying the target certificate by the target client and the method for generating the random number by the target client by using the random function can be designed according to the requirements of designers. For example, the target client may verify the target certificate by verifying whether the authority issuing the certificate is legal, whether the website address included in the certificate is consistent with the address being accessed, and the like; the target client may generate a random number using a rand () random function or a srand () random function.
And S104, sending the second information to a third-party server, and acquiring third information based on the third-party server.
And the third information is obtained by decrypting the second information according to the target private key corresponding to the target public key.
It is to be understood that the third party server may be: a certain server independent of the communication server and the target client may also be: a third server cluster independent of the communication server and the target client, the third server cluster comprising: a load balancing server and at least one computing server other than the load balancing server. The embodiment of the invention does not limit the existence form of the third-party server.
When the third-party server is a server independent from the communication server and the target client, obtaining the third information based on the third-party server may be: and obtaining the third information sent by the third-party server, namely a certain server.
It can be understood that the second information includes a target encryption algorithm identifier, the third-party server obtains the target encryption algorithm identifier from the second information, and queries an encryption algorithm identifier that is the same as the target encryption algorithm identifier from a corresponding relationship between the pre-stored encryption algorithm identifier and a private key, so as to determine the target private key that is needed to decrypt the second information, and thus, the target private key is used to decrypt the second information to generate the third information.
In practical application, in order to improve the security of information transmission, after receiving the second information, the third-party server may further perform signature authentication on the second information to determine whether the content in the second information is tampered, and if the content in the second information is not tampered, it indicates that the third information generated by using the second information is consistent with the original information of the client, and further may send the generated third information to the communication server. The embodiment of the present invention does not limit the specific process of performing signature authentication work, for example, the process of performing signature authentication work may be: and obtaining the hash values of the original information and the third information, if the hash values of the original information and the third information are the same, determining that the content in the second information is not tampered, and passing the signature authentication, otherwise, failing to pass the signature authentication.
In addition, when the third party server is: when the third-party server clusters, the second information is sent to the third-party server, and third information is obtained based on the third-party server, which may be:
sending the second information to a load balancing server in the third-party server cluster so that the load balancing server selects one computing server from the third-party server cluster as a target computing server, and sending the second information to the target computing server; and receiving third information fed back by the target computing server according to the second information.
It should be noted that the target private key and the target public key are in one-to-one correspondence, information encrypted by the target public key can be decrypted only by the target private key, and since the second information is information encrypted by the target public key, only the target computing server storing the target private key can decrypt the second information to generate third information. In practical applications, the private key sets stored in each computing server may be the same or different. The embodiment of the present invention is not limited thereto. Specifically, in order to simplify the policy of selecting the computing servers in the cluster by the load balancing server, the private key sets stored in each computing server may be designed to be the same, for example, the private keys included in the private key set stored in each computing server are: the private key of the RSA encryption algorithm and the private key of the ECDH encryption algorithm.
Similarly, the second information includes a target encryption algorithm identifier, the computing server in the third-party server cluster obtains the target encryption algorithm identifier from the second information, and queries the encryption algorithm identifier identical to the target encryption algorithm identifier from the corresponding relationship by using the corresponding relationship in which the encryption algorithm identifier and the private key are stored in advance, so as to determine the target private key to be used for decrypting the second information, and thus, the target private key is used for decrypting the second information to generate the third information.
In practical application, after receiving the second information, the computing server may further perform signature authentication on the second information to determine whether the content in the second information is tampered, and if the content in the second information is not tampered, it indicates that the third information generated by using the second information is consistent with the original information of the client, and further may send the generated third information to the communication server.
When the third-party server generates the third information, only the target private key stored in the third-party server is needed, and a communication protocol and a target certificate adopted in the process of establishing communication connection between the communication server and the target client do not need to be obtained, so that the process of generating the third information by the third server is simplified, and the third server is convenient to maintain the performance of the third server.
It can be seen that, in the embodiment of the present invention, the third-party server is used as an asynchronous hardware agent to calculate the private key and/or the signature, instead of the prior art, a manner of calculating the private key and/or the signature by adding the SSL accelerator card to the communication server is used, so that a part of offload of the CPU of the communication server, which is the most lossy in the process of establishing the communication connection, is realized and completed by the third-party server, thereby improving the performance of the communication server.
In practical application, a designer may set the number of the load balancing servers and the number of the computation servers in the third-party server cluster according to practical situations.
In order to avoid that the target client excessively occupies system resources, which results in blocking connection requests sent by other clients, after the first information is sent to the third-party server, the method may further include:
and processing connection requests sent by clients except the target client for establishing the communication connection.
Therefore, after the communication server sends the first information to the third-party server, the communication server can process the connection request sent by the client except the target client, so that the asynchronous processing of the connection request is realized, the time and system resources wasted by the communication server due to waiting for obtaining the third information are saved, and the processing speed of the communication server is further improved.
And S105, generating a target key according to the third information and the target encryption algorithm, and finishing the establishment of the communication connection.
It should be noted that the target encryption algorithm corresponds to a key generation method, and the key generation methods corresponding to different encryption algorithms are different.
For example, the key generation method corresponding to the target encryption algorithm is as follows: if the obtained third information is directly used as the target key, the generation of the target key according to the third information and the target encryption algorithm may be: directly using the third information as a target key, or if the key generation method corresponding to the target encryption algorithm is: taking the result obtained by multiplying the third information by the preset value as the target key, the step of generating the target key by the communication server according to the third information and the target encryption algorithm may be: and taking the result of multiplying the third information by a preset value as a target key. The preset value may be different according to the encryption algorithm, for example, when the target encryption algorithm is an ECDH encryption algorithm, the preset value may be the first random number generated by the communication server.
Illustratively, the preset value in the target encryption algorithm is 3, the second information is 5, and the corresponding key generation method in the target encryption algorithm is as follows: taking the result of multiplying the second information by a preset value as a target key, wherein the target key is as follows: 3 x 5-15.
The target client may generate the target key from the original information and the target encryption algorithm at the same time as the communication server generates the target key, and since the third information matches the original information, the key generated at the target client is the same as the key generated at the communication server.
After the communication server and the target client generate the target key respectively, the communication server is considered to complete the communication connection establishment process with the target client, and then the subsequent communication process between the target key and the target client can be started.
For example, the communication process may be: the target client side needs to encrypt the message by using a target key of the target client side and sends the encrypted message to the communication server, and the communication server needs to decrypt the received message by using the target key generated by the communication server; on the contrary, when the communication server sends information to the target client, the communication server encrypts the information by using the target key generated by itself, so that the target client decrypts the received information by using the target key generated by itself.
The step of generating the third information is completed by the third server, and the step of generating the target key according to the third information and the target encryption algorithm is completed by the communication server, so that the step of generating the third information and the step of generating the target key are decoupled, and the process of generating the target key by the communication server is simplified.
The embodiment of the invention does not limit the name of the third-party server. For example, in practical applications, the name of the third-party server may be: the keysever server can also be: a certificate server. In order to simplify the implementation of the third-party server generating the third information, the specific implementation may be: openssl open source software is used on a highly configured third-party server (e.g., a keysever server), so that the purpose of calculating the private key and generating third information through an asynchronous agent of the third-party server is achieved.
openssl open source software is a security development kit based on cryptography, and can be divided into three parts according to functional division: an SSL protocol library, an application, and a cryptographic algorithm library. The functions provided by openssl are quite powerful and comprehensive, including the main cryptographic algorithm, the common key and certificate encapsulation management function and the SSL protocol, and providing rich applications for testing or other purposes, so that by using openssl open-source software, designers can conveniently and quickly develop applications for generating third information.
In order to dynamically adjust the number of computing servers in the third-party server cluster so that the communication server can appropriately reduce the number of computing servers according to the processed connection request, the method may further include:
and sending removal information for removing the computing server to a load balancing server in the third-party server cluster, so that the load balancing server removes the computing server from the third-party server cluster according to the removal information.
Specifically, when the communication server detects that the connection request to be processed becomes small within a period of time, the communication server may send removal information to the load balancing server, so that the load balancing server removes the computing server specified in the removal information from the third party server cluster. The embodiment of the present invention does not limit the content included in the removal information. For example, the removal information may include only a first number of computing servers that need to be removed, and the load balancing server may randomly select and remove the first number of computing servers from the third-party server cluster; alternatively, the removal information may include identification information of the computing server that needs to be removed, and the load balancing server may determine and remove the computing server corresponding to the identification information.
In addition, the embodiment of the present invention does not limit the manner in which the load balancing server removes the computing server.
For example, one possible removal may be: the load balancing server includes an information table for managing the computing servers, the information table stores node information corresponding to the computing servers, and when the load balancing server deletes certain node information from the information table, the computing server corresponding to the node can be considered to be removed from the third-party server cluster.
Further, in order to dynamically adjust the number of computing servers in the third-party server cluster, so that the communication server can appropriately increase the number of computing servers according to the processed connection request, the method may further include:
and sending the adding information for newly adding the computing server to a load balancing server in the third-party server cluster, so that the load balancing server newly adds the computing server to the third-party server cluster according to the adding information.
Specifically, when the communication server detects that the number of connection requests to be processed increases within a period of time, the communication server may send addition information to the load balancing server, so that the load balancing server newly adds a computing server to the third-party server cluster according to the addition information. The embodiment of the present invention does not limit the content included in the added information. For example, the addition information may only include a second number of computing servers that need to be added to the third-party server cluster, and the load balancing server may randomly select the second number of computing servers from the backup computing server cluster and add the second number of computing servers to the third-party server cluster; or, the added information may include identification information of a computing server that needs to be added to the third-party server cluster, and the load balancing server may determine a computing server corresponding to the identification information from the backup computing server cluster and add the computing server to the third-party server cluster.
In addition, the embodiment of the invention does not limit the way of adding the computing server to the load balancing server.
Similarly, the specific addition may be: the load balancing server includes an information table for managing the computing servers, the information table stores node information corresponding to the computing servers, and when a certain node information is newly added from the information table by the load balancing server, the computing server corresponding to the node can be considered to be added to the third-party server cluster.
By dynamically adjusting the number of the computing servers in the third-party server cluster, the communication server can flexibly adjust the processing speed of the connection request according to the processed connection request, so that the resource waste of the SSL accelerator card is avoided, the limitation of the communication server hardware is avoided, and the number of the computing servers is dynamically expanded to deal with the connection request to be processed.
Therefore, by applying the technical scheme provided by the embodiment of the invention, in the process of establishing communication connection between the target client and the communication server, the operation of executing decryption information by using the private key is not required to be completed by the communication server, so that the time and system resources consumed by using the private key to decrypt the information are saved, the processing speed of the communication server is improved, and further, the number of third-party servers completing the operation of decrypting the information by using the private key can be dynamically adjusted, so that the communication server can flexibly adjust the processing speed according to the connection request to be processed.
The following presents a simplified summary of an embodiment of the invention by way of a specific example.
The communication connection establishment method provided by the embodiment of the invention is applied to a certain WEB server, and the establishment process of the communication connection is shown in figure 2.
A connection request which is sent by a target Client to a WEB server and is used for establishing communication connection, wherein the connection request comprises a Client random number (Client random) generated by the target Client and an encryption algorithm set which can be supported by the target Client;
after receiving the connection request, the WEB server obtains the Client random included in the connection request and an encryption algorithm set which can be supported by the target Client: RSA encryption algorithm, ECDH encryption algorithm and AES encryption algorithm, wherein the WEB server is integrated according to the encryption algorithm which can be supported by the WEB server: the RSA encryption algorithm and the ECDH encryption algorithm are selected from encryption algorithms supported by the target client side together, namely the ECDH encryption algorithm is randomly selected from the RSA encryption algorithm and the ECDH encryption algorithm to serve as the target encryption algorithm.
After determining that the ECDH encryption algorithm is used as a target encryption algorithm, the WEB Server sends first information to a target client, wherein the first information comprises a target certificate corresponding to the target encryption algorithm, a Server random number (Server random) generated by the Server and a Server DH parameter with a Server signature, the Server DH parameter is a parameter generated by the WEB Server according to the ECDH encryption algorithm, the WEB Server sends a signature request to a third-party Server (keyserver Server) and obtains a Server signature sent by the third-party Server according to the signature request, and the WEB Server signs the Server DH parameter by using the Server signature to obtain the Server DH parameter with the Server signature. Specifically, the signature request includes a Client random and a Server random, the third-party Server calculates and obtains a Server signature by using the obtained Client random and the Server random according to a signature calculation method set in an ECDH encryption algorithm, and then the third-party Server sends the Server signature to the WEB Server.
After determining that the target certificate is a valid certificate, the target Client decrypts the Server signature to obtain a Server DH parameter by using the Client random and the Server random according to a reverse signature calculation method set in an ECDH encryption algorithm, generates a Client DH parameter according to the ECDH encryption algorithm, and sends second information to the Server, wherein the second information comprises the Client DH parameter encrypted by a target public key carried by the target certificate.
And after receiving the second information, the WEB server sends the second information to a third party server, and the third party server decrypts the second information by using a target private key which is stored in the third party server and corresponds to the target public key to obtain a ClientDH parameter and sends the ClientDH parameter to the WEB server.
The WEB Server calculates to obtain a Premaster parameter according to a calculation formula specified in an ECDH encryption algorithm by using the ServerDH parameter and the obtained ClientDH parameter, generates a target key (session key) according to the Client random, the Server random and the Premaster parameter and the calculation formula generated by the Premaster parameter according to a key specified in the ECDH encryption algorithm, and completes the process of establishing communication connection with the target Client.
Therefore, in the process of establishing communication connection between the target client and the communication server, the third-party server executes the operations of decryption information and signature calculation by using the private key without being executed by the communication server, so that the time and system resources consumed by decrypting information by using the private key are saved, and the processing speed of the server is improved.
Corresponding to the communication connection establishing method, the embodiment of the invention also provides a communication connection establishing device.
Corresponding to the embodiment of the method shown in fig. 1, fig. 3 is a schematic structural diagram of a communication connection establishing apparatus according to an embodiment of the present invention, where the apparatus is applied to a communication server, and the apparatus may include:
a receiving module 301, configured to receive a connection request sent by a target client for establishing a communication connection, where the connection request includes an encryption algorithm set that can be supported by the target client;
a determining module 302, configured to determine a target encryption algorithm according to the connection request;
a first sending module 303, configured to send first information to the target client based on the target encryption algorithm, and receive second information that is fed back by the target client and encrypted by using a target public key, where the first information includes a target certificate, and the target certificate includes the target public key of the target encryption algorithm;
a second sending module 304, configured to send the second information to a third-party server, and obtain third information based on the third-party server, where the third information is generated by decrypting the second information according to a target private key corresponding to the target public key;
a generating module 305, configured to generate the target key according to the third information and the target encryption algorithm, so as to complete establishment of the communication connection.
Therefore, by applying the technical scheme provided by the embodiment of the invention, in the process of establishing communication connection between the target client and the communication server, the operation of executing decryption information by using the private key is not required to be completed by the communication server, so that the time and system resources consumed by using the private key to decrypt the information are saved, the processing speed of the communication server is improved, and further, the number of third-party servers completing the operation of decrypting the information by using the private key can be dynamically adjusted, so that the communication server can flexibly adjust the processing speed according to the connection request to be processed.
Wherein the apparatus further comprises:
and the processing module is used for processing a connection request which is sent by the client except the target client and is used for establishing communication connection after the second information is sent to the third-party server.
Wherein, the communication server is: the WEB server, the connection request is: connection request based on HTTPS protocol.
Wherein the third party server is: a third party server cluster, the third party server cluster comprising: a load balancing server and at least one computing server other than the load balancing server,
the second sending module 304 is further configured to:
sending the second information to the load balancing server, so that the load balancing server selects one computing server from the third-party server cluster as a target computing server, and sends the second information to the target computing server; and receiving third information fed back by the target computing server according to the second information.
Wherein the apparatus further comprises:
a third sending module, configured to send removal information for removing a computing server to a load balancing server in the third-party server cluster, so that the load balancing server removes the computing server from the third-party server cluster according to the removal information.
Wherein the apparatus further comprises:
and the fourth sending module is used for sending the adding information for adding the computing server to the load balancing server in the third-party server cluster, so that the load balancing server adds the computing server to the third-party server cluster according to the adding information.
An embodiment of the present invention further provides an electronic device, as shown in fig. 4, including a processor 401, a communication interface 402, a memory 403, and a communication bus 404, where the processor 401, the communication interface 402, and the memory 403 complete mutual communication through the communication bus 404,
a memory 403 for storing a computer program;
the processor 401 is configured to implement the communication connection establishment method provided in the embodiment of the present invention when executing the program stored in the memory 403, and specifically, the communication connection establishment method includes the following steps:
receiving a connection request sent by a target client for establishing communication connection, wherein the connection request comprises an encryption algorithm set which can be supported by the target client;
determining a target encryption algorithm according to the connection request;
based on the target encryption algorithm, sending first information to the target client, and receiving second information which is fed back by the target client and encrypted by using a target public key, wherein the first information comprises a target certificate, and the target certificate comprises the target public key of the target encryption algorithm;
sending the second information to a third-party server, and obtaining third information based on the third-party server, wherein the third information is generated by decrypting the second information according to a target private key corresponding to the target public key;
and generating the target key according to the third information and the target encryption algorithm to complete the establishment of the communication connection.
Optionally, after sending the second information to the third-party server, the method further includes:
and processing connection requests sent by clients except the target client for establishing communication connection.
Optionally, the communication server is: the WEB server, the connection request is: connection request based on HTTPS protocol.
Optionally, the third-party server is: a third party server cluster comprising a load balancing server and at least one computing server other than the load balancing server,
the sending the second information to a third-party server, and obtaining third information based on the third-party server includes:
sending the second information to a load balancing server in the third-party server cluster, so that the load balancing server selects one computing server from the third-party server cluster as a target computing server, and sending the second information to the target computing server;
and receiving third information fed back by the target computing server according to the second information.
Optionally, the method further includes:
and sending removal information for removing the computing server to a load balancing server in the third-party server cluster, so that the load balancing server removes the computing server from the third-party server cluster according to the removal information.
Optionally, the method further includes:
and sending adding information for adding a computing server to a load balancing server in the third-party server cluster, so that the load balancing server adds the computing server to the third-party server cluster according to the adding information.
The communication bus mentioned in the electronic device may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The communication bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface is used for communication between the electronic equipment and other equipment.
The Memory may include a Random Access Memory (RAM) or a Non-Volatile Memory (NVM), such as at least one disk Memory. Optionally, the memory may also be at least one memory device located remotely from the processor.
The Processor may be a general-purpose Processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; but also Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other Programmable logic devices, discrete Gate or transistor logic devices, discrete hardware components.
The embodiment of the present invention further provides a computer-readable storage medium, in which a computer program is stored, and the computer program, when executed by a processor, implements the steps of the communication connection establishment method provided in the embodiment of the present invention.
It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
All the embodiments in the present specification are described in a related manner, and the same and similar parts among the embodiments may be referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, as for the embodiments of the apparatus and the electronic device, since they are substantially similar to the embodiments of the method, the description is simple, and the relevant points can be referred to only in the partial description of the embodiments of the method.
The above description is only for the preferred embodiment of the present invention, and is not intended to limit the scope of the present invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention shall fall within the protection scope of the present invention.

Claims (14)

1. A communication connection establishing method is applied to a communication server, wherein the communication server stores a corresponding relation between an encryption algorithm and a certificate in advance, and the method comprises the following steps:
receiving a connection request sent by a target client for establishing communication connection, wherein the connection request comprises an encryption algorithm set which can be supported by the target client;
determining a target encryption algorithm according to the connection request;
based on the target encryption algorithm, sending first information to the target client, and receiving second information which is fed back by the target client and encrypted by using a target public key, wherein the first information comprises a target certificate, and the target certificate comprises the target public key of the target encryption algorithm;
sending the second information to a third-party server, and obtaining third information based on the third-party server, wherein the third information is generated by decrypting the second information according to a target private key corresponding to the target public key;
and generating a target key according to the third information and the target encryption algorithm to complete the establishment of the communication connection.
2. The method of claim 1, wherein after sending the second information to the third-party server, the method further comprises:
and processing connection requests sent by clients except the target client for establishing communication connection.
3. The method of claim 1, wherein the communication server is: the WEB server, the connection request is: connection request based on HTTPS protocol.
4. The method of claim 1, wherein the third party server is: a third party server cluster, the third party server cluster comprising: a load balancing server and at least one computing server other than the load balancing server,
the sending the second information to a third-party server, and obtaining third information based on the third-party server includes:
sending the second information to a load balancing server in the third-party server cluster, so that the load balancing server selects one computing server from the third-party server cluster as a target computing server, and sending the second information to the target computing server;
and receiving third information fed back by the target computing server according to the second information.
5. The method of claim 4, further comprising:
and sending removal information for removing the computing server to a load balancing server in the third-party server cluster, so that the load balancing server removes the computing server from the third-party server cluster according to the removal information.
6. The method of claim 4, further comprising:
and sending adding information for adding a computing server to a load balancing server in the third-party server cluster, so that the load balancing server adds the computing server to the third-party server cluster according to the adding information.
7. A communication connection establishment apparatus applied to a communication server that stores in advance a correspondence relationship between an encryption algorithm and a certificate, comprising:
the system comprises a receiving module, a sending module and a receiving module, wherein the receiving module is used for receiving a connection request which is sent by a target client and used for establishing communication connection, and the connection request comprises an encryption algorithm set which can be supported by the target client;
the determining module is used for determining a target encryption algorithm according to the connection request;
the first sending module is used for sending first information to the target client based on the target encryption algorithm and receiving second information which is fed back by the target client and encrypted by using a target public key, wherein the first information comprises a target certificate, and the target certificate comprises the target public key of the target encryption algorithm;
the second sending module is used for sending the second information to a third-party server and obtaining third information based on the third-party server, wherein the third information is generated by decrypting the second information according to a target private key corresponding to the target public key;
and the generating module is used for generating a target key according to the third information and the target encryption algorithm to complete the establishment of the communication connection.
8. The apparatus of claim 7, further comprising:
and the processing module is used for processing a connection request which is sent by the client except the target client and is used for establishing communication connection after the second information is sent to the third-party server.
9. The apparatus of claim 7, wherein the communication server is: the WEB server, the connection request is: connection request based on HTTPS protocol.
10. The apparatus of claim 7, wherein the third party server is: a third party server cluster, the third party server cluster comprising: a load balancing server and at least one computing server other than the load balancing server,
the second sending module is further configured to:
sending the second information to a load balancing server in the third-party server cluster, so that the load balancing server selects one computing server from the third-party server cluster as a target computing server, and sending the second information to the target computing server;
and receiving third information fed back by the target computing server according to the second information.
11. The apparatus of claim 10, further comprising:
a third sending module, configured to send removal information for removing a computing server to a load balancing server in the third-party server cluster, so that the load balancing server removes the computing server from the third-party server cluster according to the removal information.
12. The apparatus of claim 10, further comprising:
and the fourth sending module is used for sending the adding information for adding the computing server to the load balancing server in the third-party server cluster, so that the load balancing server adds the computing server to the third-party server cluster according to the adding information.
13. An electronic device is characterized by comprising a processor, a communication interface, a memory and a communication bus, wherein the processor and the communication interface are used for realizing mutual communication by the memory through the communication bus;
a memory for storing a computer program;
a processor for implementing the method steps of any of claims 1-6 when executing a program stored in the memory.
14. A computer-readable storage medium, characterized in that a computer program is stored in the computer-readable storage medium, which computer program, when being executed by a processor, carries out the method steps of any one of claims 1 to 6.
CN201710531463.4A 2017-07-03 2017-07-03 Communication connection establishment method and device, electronic equipment and computer readable medium Active CN108574687B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710531463.4A CN108574687B (en) 2017-07-03 2017-07-03 Communication connection establishment method and device, electronic equipment and computer readable medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710531463.4A CN108574687B (en) 2017-07-03 2017-07-03 Communication connection establishment method and device, electronic equipment and computer readable medium

Publications (2)

Publication Number Publication Date
CN108574687A CN108574687A (en) 2018-09-25
CN108574687B true CN108574687B (en) 2020-11-27

Family

ID=63576080

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710531463.4A Active CN108574687B (en) 2017-07-03 2017-07-03 Communication connection establishment method and device, electronic equipment and computer readable medium

Country Status (1)

Country Link
CN (1) CN108574687B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109088889B (en) * 2018-10-16 2021-07-06 深信服科技股份有限公司 SSL encryption and decryption method, system and computer readable storage medium
CN110380868A (en) * 2019-08-22 2019-10-25 广东浪潮大数据研究有限公司 A kind of communication means, device and communication system and storage medium
CN112235274B (en) * 2020-09-30 2023-01-24 上海艾融软件股份有限公司 Bank-enterprise direct connection system and method supporting multiple encryption algorithms to carry out secure communication
CN112839108B (en) * 2021-03-02 2023-05-09 北京金山云网络技术有限公司 Connection establishment method, device, equipment, data network and storage medium
CN114640447A (en) * 2022-03-25 2022-06-17 广东浪潮智慧计算技术有限公司 Data packet processing method, intelligent network card and storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011146742A2 (en) * 2010-05-19 2011-11-24 Akamai Technologies Inc. Edge server http post message processing
CN105991622A (en) * 2015-03-05 2016-10-05 阿里巴巴集团控股有限公司 Message authentication method and device
CN106341417A (en) * 2016-09-30 2017-01-18 贵州白山云科技有限公司 Content delivery network-based HTTPS acceleration method and system
CN106453669A (en) * 2016-12-27 2017-02-22 Tcl集团股份有限公司 Load balancing method and server
CN106657379A (en) * 2017-01-06 2017-05-10 重庆邮电大学 Implementation method and system for NGINX server load balancing

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2011146742A2 (en) * 2010-05-19 2011-11-24 Akamai Technologies Inc. Edge server http post message processing
CN105991622A (en) * 2015-03-05 2016-10-05 阿里巴巴集团控股有限公司 Message authentication method and device
CN106341417A (en) * 2016-09-30 2017-01-18 贵州白山云科技有限公司 Content delivery network-based HTTPS acceleration method and system
CN106453669A (en) * 2016-12-27 2017-02-22 Tcl集团股份有限公司 Load balancing method and server
CN106657379A (en) * 2017-01-06 2017-05-10 重庆邮电大学 Implementation method and system for NGINX server load balancing

Also Published As

Publication number Publication date
CN108574687A (en) 2018-09-25

Similar Documents

Publication Publication Date Title
CN108574687B (en) Communication connection establishment method and device, electronic equipment and computer readable medium
KR102392420B1 (en) Program execution and data proof scheme using multi-key pair signatures
JP6869374B2 (en) Decentralized key management for trusted execution environments
CN109347835B (en) Information transmission method, client, server, and computer-readable storage medium
US11563567B2 (en) Secure shared key establishment for peer to peer communications
CN113098838B (en) Trusted distributed identity authentication method, system, storage medium and application
USRE49673E1 (en) Systems and methods for secure data exchange
US8479008B2 (en) Providing security services on the cloud
JP2020528224A (en) Secure execution of smart contract operations in a reliable execution environment
US20210377022A1 (en) Unmanaged secure inter-application data communications
JP2022519681A (en) Security system and related methods
WO2021120871A1 (en) Authentication key negotiation method and apparatus, storage medium and device
WO2016122646A1 (en) Systems and methods for providing data security services
CN116491098A (en) Certificate-based security using post-use quantum cryptography
US20190044922A1 (en) Symmetric key identity systems and methods
CN112822255A (en) Block chain-based mail processing method, mail sending end, receiving end and equipment
CN110690969A (en) Method and system for completing bidirectional SSL/TLS authentication in cooperation of multiple parties
CN110581829A (en) Communication method and device
Kumar et al. Performance modeling for secure migration processes of legacy systems to the cloud computing
CN111859314A (en) SM2 encryption method, system, terminal and storage medium based on encryption software
CN111865948A (en) Peer-to-peer cloud authentication and key agreement method, system and computer storage medium based on anonymous identity
CN110784318A (en) Group key updating method, device, electronic equipment, storage medium and communication system
CN111460463A (en) Electronic deposit certificate storage and notarization method, device, equipment and storage medium
Herrera et al. A key distribution protocol for wireless sensor networks
JP7054796B2 (en) Certificate generation method, certificate generator and computer program

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant